How To Determine from Which Computer a User Logged On

This article was previously published under Q175062
This article has been archived. It is offered "as is" and will no longer be updated.
This article describes the methods available to identify from which system a user logged on. You may choose from one or more of the following methods:

  • Windows NT Auditing

  • Microsoft Network Monitor (or other network tracing utility)

  • Using the Windows Internet Naming Service (WINS) database

  • Using the NetBIOS Remote Name Cache table

Windows NT Auditing

To determine from which system a user logged on with Windows NT Auditing, perform the following steps:

  1. Start User Manager for Domains.
  2. Click Audit from the Policies menu.
  3. Click to enable Success for the Logon and Logoff category. Optionally, you may also select the Failure check box.
After the above procedure has been implemented, Windows NT creates an event log entry for each successful logon attempt. The entry resembles the following example:

   Date:     10/13/97          Event ID:  528
   Time:     10:32:11 AM       Source:    Security
   User:     JoeSmith          Type:      Success Audit
   Computer: MKTINGDOM         Category:  Logon/Logoff
   Description:
   Logon/Logoff: Successful Logon
        User Name:          JoeSmith
        Domain:             MKTINGDOM
        Logon ID:           (0x0, 0x2D0D0)
        Logon Type:         3
        Logon Process:      User32
        Authentication Pkg: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:   \\WKS2
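As an added example (not part of the KB article), the following Python reads Security-log records exported in the layout above and keeps only Event ID 528 success audits, so that failed attempts (Event ID 529, which also carry a Workstation Name) are not mistaken for the workstation the user actually logged on from. The sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: two exported Security-log records in the layout shown
# above (Event ID 528 = successful logon, 529 = failed logon). Field order
# and line breaks vary between export tools, so the parser keys on labels.
SAMPLE_LOG = r"""
Date: 10/13/97  Event ID: 528  Time: 10:32:11 AM  Source: Security
User: JoeSmith  Type: Success Audit  Computer: MKTINGDOM  Category: Logon/Logoff
Description: Logon/Logoff: Successful Logon
User Name: JoeSmith  Domain: MKTINGDOM  Logon ID: (0x0, 0x2D0D0)
Logon Type: 3  Logon Process: User32
Authentication Pkg: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Workstation Name: \\WKS2

Date: 10/13/97  Event ID: 529  Time: 10:35:02 AM  Source: Security
User: SYSTEM  Type: Failure Audit  Computer: MKTINGDOM  Category: Logon/Logoff
Description: Logon/Logoff: Logon Failure  Reason: Unknown user name or bad password
User Name: JoeSmith  Domain: MKTINGDOM  Logon Type: 3  Logon Process: User32
Authentication Pkg: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Workstation Name: \\WKS7
"""

FIELD_RE = {
    "event_id": r"Event ID:\s*(\d+)",
    "audit": r"\bType:\s*(Success|Failure) Audit",   # not "Logon Type: 3"
    "user": r"User Name:\s*(\S+)",                   # not the "User:" header field
    "domain": r"Domain:\s*(\S+)",
    "logon_type": r"Logon Type:\s*(\d+)",            # 2 = interactive, 3 = network
    "workstation": r"Workstation Name:\s*\\*(\S+)",  # strip leading backslashes
}

def parse_records(text):
    """Split the export into blank-line-separated records and pull the labelled fields."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for key, pattern in FIELD_RE.items():
            m = re.search(pattern, chunk)
            rec[key] = m.group(1) if m else None
        records.append(rec)
    return records

def successful_logons(text):
    """Map account -> set of workstations, using only Event ID 528 success audits.
    Event 529 records name a workstation too, but that is where an attempt came
    from, not where the user logged on, so they are excluded deliberately."""
    where = defaultdict(set)
    for rec in parse_records(text):
        if rec["event_id"] == "528" and rec["audit"] == "Success" and rec["workstation"]:
            where[rec["user"]].add(rec["workstation"])
    return dict(where)
```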

Network Monitor

To determine from which system a user logged on with Network Monitor, perform the following steps:
  1. Capture all incoming traffic to the domain controller(s). In order to reduce the size of the captured data:

    • If possible, include only the Primary or Backup Domain Controller that is most likely to validate the intruder.
    • Set a capture filter, including only the server message block (SMB) protocol.
    • Configure a large enough memory buffer through the Buffer Settings option in the Capture menu.
  2. After the data has been captured, set a display filter to only include:

    Protocol: SMB
    Property: Account Name
    Relation: Exists
This displays every initial SMB session setup request, each of which contains the user name and the source media access control (MAC) address.

For example:
   Src Mac Addr   Dst Mac Addr   Description
   WKS1           SUNKING        C session setup & X, Username = MariaH, and C tree connect & X, Share = \\SUNKING\IPC$
   WKS2           SUNKING        C session setup & X, Username = JoeSmith, and C tree connect & X, Share = \\SUNKING\IPC$
   WKS3           SUNKING        C session setup & X, Username = Administrator, and C tree connect & X, Share = \\SUNKING\IPC$

In the example above, WKS1 is the computer from which the user is logging on, SUNKING is the domain controller authenticating the request, and the Description contains the Windows NT domain account being used.

NOTE: The Src Mac Addr may also be shown as a media access control or IP address if the NetBIOS name could not be resolved or the entry is not in the Network Monitor address database.

Using the WINS Database

To determine from which system a user logged on using the WINS database, perform the following steps:

  1. Start WINS Manager.
  2. Click Show Database on the Mappings menu.
  3. Click Set Filter, type the user account name in the Computer Name criteria, and then click OK.
  4. In the Mappings list, the entry with the user account name and the 03h identifier maps to the IP address of the workstation from which the user logged on to the domain.

Using the NetBIOS Remote Name Table

To determine from which system a user logged on using the NetBIOS Remote Name Table, perform the following steps:

  1. From an MS-DOS command prompt, type the following, and then press Enter.

    net send <user name> "text message"

    where <user name> is the user account for the user you are attempting to locate.
  2. Type the following, and then press Enter.

    nbtstat -c
  3. As in the example above using the WINS Database, locate the user name that is associated with the 03h identifier; the corresponding IP address is that of the workstation.
For more information, please refer to the following Microsoft Knowledge Base articles:

ARTICLE-ID: 157238
TITLE : How to Activate Security Event Logging in Windows NT 4.0

ARTICLE-ID: 173939
TITLE : How to Identify User Who Changed Administrator Password

ARTICLE-ID: 140714
TITLE : Distinguishing Windows NT Audit Event Records

Article ID: 175062 - Last Review: 12/05/2015 08:07:13 - Revision: 1.1

Microsoft Windows NT Workstation 3.51, Microsoft Windows NT Workstation 4.0 Developer Edition, Microsoft Windows NT Server 3.51, Microsoft Windows NT Server 4.0 Standard Edition
